3.1.20 — Control Outside Connections

The One-Liner

If you don’t have a map of every connection between your CUI environment and the outside world, you have uncontrolled exposure.

What It Says

Verify and control/limit connections to and use of external systems.

What It Actually Means

“External systems” means anything outside your assessment boundary:

• The public internet
• Partner networks
• Your own non-CUI networks
• Cloud services
• Personal devices

For every connection, you need to: identify it, verify it’s authorized, and control what can flow through it. Block personal devices from CUI resources. Restrict cloud services to approved ones. Document every network connection to partners or external systems.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are external connections identified?	A complete list of every connection to outside systems
2	Is external system use identified?	You know what external systems your people use for CUI work
3	Are connections verified?	Each one is confirmed as authorized
4	Are connections controlled/limited?	Technical enforcement — not just policy

---

What to Have Ready on Assessment Day

Documents they’ll review: Access control policy, external system use procedures, terms and conditions, system security plan, list of applications accessible externally, system config, connection agreements

People they’ll talk to: Personnel defining external access terms, sysadmins, information security staff

Live demos they’ll ask for: “Show me your external connection inventory. Try to access CUI from a personal device — show me it’s blocked.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Are all connections to external systems outside the assessment scope identified?”
• “Which external systems are permitted to connect?”
• “What methods ensure only authorized connections?”
• “How do you prevent personal devices from accessing CUI?”

Real-World Example

A contractor maintains an external connection register listing: internet gateway, VPN to prime contractor, M365 GCC High, AWS GovCloud, and the managed SIEM provider. Each connection has an owner, purpose, and approval date. Conditional Access blocks non-compliant devices. CUI cloud resources are restricted to approved services via Entra app consent policies.

---

Where Companies Trip Up

Shadow IT. Employees using personal Dropbox, Google Drive, or WhatsApp for CUI. DLP and CASB catch this.

No connection inventory. You don’t know all the external connections from your CUI environment.

Partner connections uncontrolled. VPN tunnels to partners with no access restrictions or monitoring.

Personal devices. No technical controls preventing CUI access from personal laptops or phones.

---

How to Talk About This

To a CEO or Board

We’ve mapped every connection between our CUI environment and the outside world. Each one is documented, approved, and controlled. Personal devices and unapproved cloud services are blocked.

To an Engineering Team

External connection register maintained in ITSM. Conditional Access enforces compliant devices only. Entra app consent policies restrict cloud apps. Partner VPNs have firewall ACLs limiting access to approved resources.

---

Connected Requirements

Requirement	Why it matters here
3.1.1 — Who Gets In	Foundational access control
3.1.3 — Where CUI Can Flow	Controlling CUI movement to/from external systems
3.13.1 — Guard the Boundaries	Monitoring at external boundaries

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: AC.L2-3.1.20 | SPRS Weight: 1 point | POA&M Eligible: Yes